Date: Wed, 20 Aug 2003 11:46:02 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 36510 for review Message-ID: <200308201846.h7KIk2ra083805@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=36510 Change 36510 by cvance@cvance_osx_laptop on 2003/08/20 11:45:39 Try using only the dynamic sysctl interface. This requires pre-defining some structures and initializing/registering sysctls at framework initialization time. Add some (mostly) bogus atomic int operations. No clue whether they really are atomic on G{3,4,5} processors. We only use them for debugging counters, so it's mostly safe. Export mac_init and mac_late_init Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#15 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#15 (text+ko) ====
@@ -97,6 +97,16 @@
 	if (vp && !VOP_ISLOCKED(vp)) \
 		Debugger("vnode lock violation.\n");
+#define atomic_add_int(P, V) (*(u_int*)(P) += (V))
+#define atomic_subtract_int(P, V) (*(u_int*)(P) -= (V))
+
+struct sysctl_oid_list sysctl__security_children;
+SYSCTL_DECL(_security);
+SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW, 0,
+    "Security Controls");
+
+struct sysctl_oid_list sysctl__security_mac_children;
+SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
     "TrustedBSD MAC policy controls");
@@ -187,6 +197,8 @@
     "copy-on-write semantics, or by removing all write access");
 #ifdef MAC_DEBUG
+struct sysctl_oid_list sysctl__security_mac_debug_children;
+SYSCTL_DECL(_security_mac_debug);
 SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
     "TrustedBSD MAC debug info");
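Review bot: The `atomic_add_int` and `atomic_subtract_int` defines are plain `+=`/`-=` read-modify-write sequences, so two CPUs updating the same counter can lose an update, and the `(u_int*)` cast accepts any pointer type without a diagnostic; the names promise the FreeBSD `<machine/atomic.h>` contract that the bodies do not deliver. The commit message limits their use to debugging counters, but nothing in the code records or enforces that, so a later caller reusing them for anything correctness-relevant would get silent corruption. I would put both defines under `#ifdef MAC_DEBUG` next to the counters they serve and add `/* XXX Not atomic: plain read-modify-write.  Acceptable only for the MAC_DEBUG statistics counters, where a lost update is harmless. */`.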
@@ -197,16 +209,18 @@
 TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback);
+struct sysctl_oid_list sysctl__security_mac_debug_counters_children;
+SYSCTL_DECL(_security_mac_debug_counters);
 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
     "TrustedBSD MAC object counters");
-static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
-    nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
-    nmacipqs, nmacpipes, nmacprocs;
+static unsigned int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0,
+    nmacsockets=0, nmacmounts=0, nmactemp=0, nmacvnodes=0, nmacdevfsdirents=0,
+    nmacipqs=0, nmacpipes=0, nmacprocs=0;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
     &nmacmbufs, 0, "number of mbufs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
+SYSCTL_INT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
     &nmaccreds, 0, "number of ucreds in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
     &nmacifnets, 0, "number of ifnets in use");
@@ -489,7 +503,7 @@
 /*
  * Initialize the MAC subsystem, including appropriate SMP locks.
  */
-static void
+void
 mac_init(void)
 {
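Review bot: The `creds` counter is switched to `SYSCTL_INT` while `nmaccreds` is still declared `unsigned int` a few lines above, so this one entry is exported with a signed type its variable does not have, unlike every sibling in the block; unless that is deliberate, keep `SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,`. The `=0` initializers added to the `static unsigned int` counters are redundant, since file-scope statics are zero-initialized anyway, and they only widen the declaration lines.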
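Review bot: `mac_init` gains external linkage here (and `mac_late_init` does the same in the hunk at line 550), but the diff adds no prototype in a header, so unless one already exists outside this change callers will rely on an implicit declaration and this file gets no signature check against them; a `void mac_init(void);` / `void mac_late_init(void);` pair belongs in the MAC header the callers include. Since the body, which continues past this hunk, now registers the sysctl tree unconditionally, the comment above the signature should also state the calling contract, e.g. ` * Called once at framework initialization; also registers the security.mac sysctl tree.` — I cannot tell from the diff whether a repeated call is guarded against.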
@@ -498,6 +512,37 @@
 	mac_policy_mtx = mutex_alloc(ETAP_NO_TRACE);
 	cv_init(&mac_policy_cv, "mac_policy_cv");
+
+	sysctl_register_oid(&sysctl__security);
+	sysctl_register_oid(&sysctl__security_mac);
+	sysctl_register_oid(&sysctl__security_mac_max_slots);
+	sysctl_register_oid(&sysctl__security_mac_enforce_fs);
+	sysctl_register_oid(&sysctl__security_mac_enforce_kld);
+	sysctl_register_oid(&sysctl__security_mac_enforce_network);
+	sysctl_register_oid(&sysctl__security_mac_enforce_pipe);
+	sysctl_register_oid(&sysctl__security_mac_enforce_process);
+	sysctl_register_oid(&sysctl__security_mac_enforce_socket);
+	sysctl_register_oid(&sysctl__security_mac_enforce_system);
+	sysctl_register_oid(&sysctl__security_mac_enforce_vm);
+	sysctl_register_oid(&sysctl__security_mac_mmap_revocation);
+	sysctl_register_oid(&sysctl__security_mac_mmap_revocation_via_cow);
+#ifdef MAC_DEBUG
+	sysctl_register_oid(&sysctl__security_mac_debug);
+	sysctl_register_oid(&sysctl__security_mac_debug_label_fallback);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_mbufs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_creds);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_ifnets);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_ipqs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_bpfdescs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_sockets);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_pipes);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_procs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_mounts);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_temp);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_vnodes);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_devfsdirents);
+#endif
 }
 /*
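Review bot: The 28 `sysctl_register_oid` calls in `mac_init` duplicate by hand every `SYSCTL_*` definition in the file, and nothing ties the two lists together: a knob added later without a matching call here silently never appears under `security.mac`, and the `#ifdef MAC_DEBUG` split has to be maintained in two places. A `static struct sysctl_oid *` table placed next to the definitions and walked in a loop here keeps the list in one spot and lets the `MAC_DEBUG` guard wrap table entries instead of calls. The table keeps the hunk's order, parents before children, in case `sysctl_register_oid` depends on it; `mac_init`'s body starts before this hunk.
```c
/* Placed after the SYSCTL_* definitions; one entry per OID, parents first. */
static struct sysctl_oid *mac_sysctl_oids[] = {
	&sysctl__security,
	&sysctl__security_mac,
	/* … remaining security.mac OIDs, in the order of the original calls … */
#ifdef MAC_DEBUG
	&sysctl__security_mac_debug,
	/* … remaining security.mac.debug OIDs, in the order of the original calls … */
#endif
};

/* … unchanged: mutex and cv setup at the top of mac_init() … */
	cv_init(&mac_policy_cv, "mac_policy_cv");

	/* Register the whole security.mac tree in one place. */
	for (i = 0; i < sizeof(mac_sysctl_oids) / sizeof(mac_sysctl_oids[0]); i++)
		sysctl_register_oid(mac_sysctl_oids[i]);
```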
@@ -505,7 +550,7 @@
  * "early", set the mac_late flag once we've processed modules either
  * linked into the kernel, or loaded before the kernel startup.
  */
-static void
+void
 mac_late_init(void)
 {